The /api/lead-capture route added with the React consulting v3 page (#4777) is a public endpoint that spends the JotForm API key and fires the Power Automate CRM flow on every call, with nothing gating it:
- Middleware only sets headers — no auth, origin check, or rate limit
- The
*.azurewebsites.net origin and preview slots bypass Cloudflare entirely
- JotForm's own limit is just a daily API-call quota (hitting it blocks legit submissions too), and the API path bypasses the form's built-in CAPTCHA
So it can be scripted to spam leads into both JotForm and the CRM.
Fix: require a Cloudflare Turnstile token (we already have a Cloudflare account; Turnstile is free) before the route does any JotForm/CRM work — fail closed.
While here, also restore a few fixes prepared during review of #4777 that didn't land: SEO metadata on the React page, process step zero-padding, Tailwind token usage, and the removed next/image objectFit prop.
Affected routes: /consulting/react
The
/api/lead-captureroute added with the React consulting v3 page (#4777) is a public endpoint that spends the JotForm API key and fires the Power Automate CRM flow on every call, with nothing gating it:*.azurewebsites.netorigin and preview slots bypass Cloudflare entirelySo it can be scripted to spam leads into both JotForm and the CRM.
Fix: require a Cloudflare Turnstile token (we already have a Cloudflare account; Turnstile is free) before the route does any JotForm/CRM work — fail closed.
While here, also restore a few fixes prepared during review of #4777 that didn't land: SEO metadata on the React page, process step zero-padding, Tailwind token usage, and the removed next/image
objectFitprop.Affected routes:
/consulting/react